Enhancing ScheduleRunner

In the arsenal of a red team operator, adaptability and stealth are paramount. The latest addition to ScheduleRunner, the ability to edit existing scheduled tasks, provides an even greater level of flexibility and control. ScheduleRunner was already a versatile tool for managing scheduled tasks; this enhancement focuses on evasion and operational flexibility, making it a valuable asset for simulating advanced persistent threats (APTs).

ScheduleRunner at a Glance

ScheduleRunner enables seamless interaction with Windows Task Scheduler, offering a streamlined command-line interface for creating, managing, and now editing tasks. Its standout feature is the inclusion of evasion techniques inspired by real-world malware tactics, such as the Tarrask malware attributed to the HAFNIUM group.

Key capabilities include:

  • Task Modification: Replace programs, update arguments, and reorganize execution order.
  • Dynamic Scheduling: Modify or add triggers like “daily” or “onlogon.”
  • Evasion: Leverage the “hide” technique to make tasks invisible in task queries.
  • Remote Task Management: Edit tasks on remote systems, provided sufficient privileges.

Introducing Task Editing

The task editing functionality aligns perfectly with red team objectives, offering:

  • Covert Task Modification
    Replace or update legitimate scheduled tasks with payloads while maintaining operational continuity. For example:

ScheduleRunner.exe /method:edit /taskname:backup /program:"C:\Payload\backdoor.exe" /argument:"--exec ls"

If more than one action is embedded in the task, specify which one should be replaced. For example:

ScheduleRunner.exe /method:edit /taskname:backup /program:"C:\Payload\backdoor.exe" /oldaction:"C:\Windows\notepad.exe"

This tactic mimics a legitimate task to avoid detection by defenders.

  • Action Insertion for Persistent Access
    Insert a malicious execution action into existing tasks, carefully placing it in the action sequence to avoid suspicion.

ScheduleRunner.exe /method:edit /taskname:daily_check /program:"C:\Payload\agent.exe" /order:2

By embedding within a larger set of actions, the payload can fly under the radar.

In both of these examples, the trigger option can also be added with the values “daily” or “onlogon”.
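
From the defender's side, both edits shown above change the ordered list of Exec actions inside a task definition, so they surface when a task's exported XML is compared with a known-good copy. The following Python sketch is an added example, not part of ScheduleRunner or the original post; it assumes task definitions exported as Task Scheduler XML (for example with schtasks /query /xml), and the sample tasks, including the robocopy action, are constructed for illustration.

```python
import difflib
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def exec_actions(task_xml):
    """Ordered (command, arguments) pairs for every Exec action in a task."""
    actions = []
    for node in ET.fromstring(task_xml).findall("t:Actions/t:Exec", NS):
        # Windows paths are case-insensitive, so normalise the command only.
        cmd = node.findtext("t:Command", "", NS).strip().strip('"').lower()
        args = node.findtext("t:Arguments", "", NS).strip()
        actions.append((cmd, args))
    return actions

def diff_actions(baseline_xml, current_xml):
    """Return (change, position, action) for actions removed or added."""
    old, new = exec_actions(baseline_xml), exec_actions(current_xml)
    findings = []
    matcher = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            findings += [("removed", i + 1, old[i]) for i in range(i1, i2)]
        if tag in ("replace", "insert"):
            findings += [("added", j + 1, new[j]) for j in range(j1, j2)]
    return findings

def sample_task(*actions):
    """Build a minimal task definition (constructed sample, not a real export)."""
    body = "".join(
        f"<Exec><Command>{c}</Command><Arguments>{a}</Arguments></Exec>"
        for c, a in actions)
    return f'<Task xmlns="{NS["t"]}"><Actions>{body}</Actions></Task>'

# Constructed samples mirroring the two edits shown above.
ROBOCOPY = (r"C:\Windows\System32\robocopy.exe", r"D:\data E:\backup")
NOTEPAD = (r"C:\Windows\notepad.exe", "")
BASELINE = sample_task(ROBOCOPY, NOTEPAD)
REPLACED = sample_task(ROBOCOPY, (r"C:\Payload\backdoor.exe", "--exec ls"))
INSERTED = sample_task(ROBOCOPY, (r"C:\Payload\agent.exe", ""), NOTEPAD)

if __name__ == "__main__":
    for name, xml in (("replaced", REPLACED), ("inserted", INSERTED)):
        for change, position, (cmd, args) in diff_actions(BASELINE, xml):
            print(f"{name}: {change} action #{position}: {cmd} {args}".rstrip())
```

Because the comparison works on exported definitions, it only covers tasks that still appear in task queries, which the “hide” technique listed earlier is meant to prevent.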

Why This Matters

The addition of editing functionality reduces the need to create tasks from scratch, saving time and effort. Its support for action reordering and dynamic triggers also makes it a powerful tool for adapting to changing requirements, and operators can stealthily repurpose legitimate workflows, reducing forensic artifacts and minimizing the risk of detection. ScheduleRunner empowers operators to adapt quickly to shifting blue team defenses, ensuring continued access and operational success in adversarial simulations.

The complete project files accompanying this blog post can be found at the HackCraft GitHub.